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Description 

The invention relates to a modular printer for a 
transaction terminal which has an input section for in- 
putting a request for printing a value indicia and an op- 
erating section for enabling the terminal to execute the 
printing of the requested value indicia on an article, and 
to such a transaction terminal comprising a modular 
printer. 

The invention is applicable to an automated trans- 
action system which receives a user card having a mi- 
croprocessor for executing secure transactions in which 
an article or item of value is dispensed from a terminal, 
and an account balance stored in the card's memory is 
debited. In particular, the invention is applicable to a 
postage transaction system in which a postage account 
is maintained within the microprocessor card and is 
used in transactions with postage printing and metering 
terminals. 

A system for printing encrypted postage indicia is 
described in EP-A-0 132 782. Apparatus for printing in 
human-readable and machine-readable forms is de- 
scribed in EP-A-0 011 721. 

Point-of-sale (POS) terminals and automated teller 
machines (AT) have been widely used in conjunction 
with various types of cards issued to users for sale or 
credit transactions. For example, banks regularly issue 
account cards which have a magnetically coded number 
stored on a stripe for accessing the user's account 
through ATM terminals. Credit cards which have coded 
magnetic stripes are inserted in ATM or POS terminals 
to access a central account system for authorization of 
a credit transaction. There also have been proposals to 
use cards which have large non-volatile memories, e.g. 
magnetic, integrated circuit (IC), or optical memory stor- 
age, for storing and retrieving information specific to the 
user, such as a medical history, biographical history, 
maintenance of an account balance and transaction his- 
tory, etc. 

These conventional systems generally employ a 
card which has a passive memory that is read in a card 
reader or computerized terminal maintained by a ven- 
dor. The security of the cards is problematic since most 
account cards used conventionally are passive and do 
not authenticate themselves or the particular transac- 
tions for which they are used, instead, on-line access 
through a terminal to a central account system, such as 
bank or credit card account records, is required for con- 
firmation of each transaction. This requirement places 
an access time and cost burden on vendors, such as 
bank branches and retail stores, which must maintain 
the terminal facilities, as well as on the operator of the 
central account system, which must provide sufficient 
on-line access for all the users or the system and ensure 
the security of the entire system. 

By comparison, off-line transactions, i.e. between a 
user with an authorized card and a terminal not connect- 
ed to a central account system, have the advantage that 



the vendor does not have to confirm each transaction. 
A card bearer merely inserts the card in a terminal to 
pay for a purchase and the authorized amount of the 
card is debited for the amount of the transaction. In off- 
s line transactions, the vendor's responsibility can be re- 
duced and the transaction process simplified, so that a 
transaction can be completely automated through the 
use of widely distributed user cards and automated ter- 
minals. 

10 However, off-line transactions are more vulnerable 
to the use of counterfeit cards and to tampering with the 
terminals. Thus, the cards have to be made secure and 
the transactions limited to small amounts. As an exam- 
ple of conventional card security measures, a memory 

is card can be divided into a number of separately valida- 
table sectors of limited value which are irreversibly deb- 
ited with each transaction, as disclosed in U.S. Patents 
4,204,113 and 4,256,955 to Giraud et al. A personal 
identification number (PI N) can be written into the card's 

20 memory at the time of issuance and requested of the 
user with each transaction. Terminals are generally 
made secure by maintaining them in areas to which ac- 
cess is restricted or supervised. However, these require- 
ments increase the cost of operating the system and at 

2S the same time decrease its utility. 

The sophistication of card counterfeiting and credit 
fraud has increased with the widespread use of account 
and credit cards, and even greater security measures 
are currently needed to ensure the validity of card trans- 

30 actions. Conventional microprocessor cards employ 
resident programs to control access to data stored on 
the card, store a selected user PIN to confirm an 
auhorized user, and prevent use of the card if an unau- 
thorized user is detected, such as after a limited number 

35 of incorrect PIN entries. Although such microprocessor 
cards provide greater security than passive cards, the 
overall system is still vulnerable in that, once a valid us- 
er's PIN has been ascertained, a stolen card can be 
used for unauthorized transactions in any terminal, and 

40 the terminals themselves are subject to penetration. 
These vulnerabilities can be offset by limiting the author- 
ized amount of the card, controlling access to the termi- 
nals, or requiring on-line confirmation of transactions. 
However, such measures again increase the cost of the 

45 system and decrease its utility. 

One potential area of application of automated sys- 
tems employing account or credit cards is in postage 
vending and metering machines. Purchases of postage 
and mailing transactions are made primarily in person 

so with cash through tellers at post offices. Only limited 
types of postage stamps can be purchased from public 
vending machines. Most private postage metering ma- 
chines have limited operational features and must have 
their metering devices removed periodically to a post of- 

55 f jce for refilling. The size and weight of the metering de- 
vices make them inconvenient to carry. Some metering 
systems can be refilled by a remote computer, but the 
caller must still phone the computer center and execute 
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the operator's instructions on the postage meter manu- 
ally. 

The elimination of cash purchases, in-person mail- 
ing transactions, unnecessary limitations on automated 
postal services, and physical refilling of postage meter- 
ing machines could greatly reduce the waiting lines at 
post offices and facilitate the wider dissemination of 
postage vending and metering machines for the con- 
venience of users and provide greater access to postal 
services. The use of account or credit cards for auto- 
mated postal machines has been considered. However, 
the security problems of conventional card automated 
systems would require that user cards be validated only 
for relatively small amounts of prepaid postage, that 
vending and metering machines provide limited postal 
products and be refilled with limited total postage 
amounts, and that access to the machines be strictly 
controlled. These restrictions are a substantial obstacle 
which contribute to the difficulty of implementing an au- 
tomated postal transaction system. 

It is a primary purpose of the invention to provide a 
transaction terminal which has security features that will 
facilitate the widespread use of account or credit cards 
for off-line transactions and the dissemination of auto- 
mated transaction terminals to which access does not 
have to be strictly controlled. 

According to one aspect of the invention, there is 
provided a modular printer for a transaction terminal 
which has an input section for inputting a request for 
printing a value indicia and an operating section for en- 
abling the terminal to execute the printing of the request- 
ed value indicia on an article, characterized in that: 

the modular printer includes a printhead and a ded- 
icated microprocessor for controlling the printhead 
physically permanently bonded together such that 
the printhead microprocessor cannot be physically 
tampered with without disabling the printhead; 
the modular printer is removably mounted in the ter- 
minal; and 

the modular printer includes an interface coupled to 
the printhead microprocessor for establishing an 
operative data path connection to the terminal op- 
erating section to receive a print instruction signal 
from the terminal. 

According to another aspect of the invention, there 
is provided a transaction terminal comprising: 

an input section for inputting a request for printing 
a value indicia; 

an operating section for enabling the terminal to ex- 
ecute the printing of the requested value indicia on 
an article; and 

a modular printer removably mounted in the termi- 
nal and including a printhead and a dedicated mi- 
croprocessor for controlling the printhead physically 
permanently bonded together such that the print- 



head microprocessor cannot be physically tam- 
pered with without disabling the printhead, and an 
interface coupled to the printhead microprocessor 
for establishing an operative data path connection 
5 to the terminal operating section to receive a print 
instruction signal therefrom. 

The above-mentioned transaction terminal may be 
applied to postage metering machines. 
10 The above principles, advantages, and features of 
the invention are described in further detail below in con- 
junction with the following drawings, in which: 

Fig. 1 illustrates schematically a preferred embodi- 
es ment of an automated postal transaction terminal 
using a microprocessor card in accordance with 
one embodiment of the invention; 
Fig. 2a shows a structure in the embodiment of Fig. 
1 for executing a secure handshake recognition 
20 procedure between the microprocessor card and a 
value dispensing section of the terminal, and Fig. 
2b outlines the handshake sequence; 
Fig. 3 illustrates the multiple levels of security pro- 
vided by the system of Fig. 1; 
25 Fig. 4 shows another embodiment of the postal 
transaction terminal of the invention which receives 
a rate card for automatically computing postal 
amounts; 

Fig. 5 is a flow diagram of the operation of the ter- 
30 minal of Fig. 4; 

Fig. 6a shows the use of coded marks for authenti- 
cation of a postmark printed by a postal transaction 
terminal, and Fig. 6b shows one exemplary form of 
authentication coding; 
35 Fig. 7 illustrates schematically a preferred embodi- 
ment of an optical scale and an automated waybill 
printing terminal using a microprocessor card and 
a special services card in accordance with another 
embodiment of the invention; 
40 Fig. 8 is a flow diagram of the operation of the ter- 
minal of Fig. 7; 

Fig. 9 illustrates a standard form of waybill and cur- 
sor prompts for filling in its information fields; 
Fig. 10 illustrates schematically a preferred embod- 
45 iment of an automated refilling terminal using a mi- 
croprocessor card, a master card, and a supervisor 
card in accordance with a further embodiment of the 
invention; 

Fig. 11 is a flow diagram of the operation of the ter- 
50 minal of Fig. 10; and 

Fig. 12 shows the integrated system of microproc- 
essor cards, memory cards, and terminals accord- 
ing to another embodiment of the invention. 

55 (n accordance with the basic principles of the inven- 
tion, an automated transaction system employs a micro- 
processor card in an automated transaction terminal, 
various types of microprocessor cards are available 
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commercially, and the technology of manufacturing 
such cards and using them in terminal devices is well 
understood. As an example, Micro Card Technologies 
Inc. of Dallas, Texas, makes the Micro Card Mask M4 
card which is a standard (ISO) size, similar to a credit 
card, having an 8-bit microprocessor, 8 contact pinout, 
9600 bps asynchronous serial exchange protocol, 12.8 
Kbits of Read-Only Memory (ROM), 288 bits of Random 
Access Memory (RAM), and 8 Kbits of Erasable/Pro- 
grammable ROM (EPROM). An array of electrical con- 
tacts provided in one section of the card connects with 
the corresponding contacts in the terminal to allow the 
card microprocessor to communicate data with the ter- 
minal. It is of course understood that other types of data 
communicating connections can be used, such as, for 
example, by magnetic induction. 

The conventional microprocessor card as used in 
the present invention operates by executing an internal- 
ly stored program (firmware) which cannot be accessed 
from the outside. The firmware may be written in rand- 
omized form to secure it against tampering from the out- 
side. An electrically programmable (EPROM) memory 
portion associated with the microprocessor of the card 
is generally divided into three zones: a secret zone 
which can only be accessed internally; a protected read/ 
write zone which can only be accessed after a key 
number or PIN has been confirmed, and a free-reading 
zone. The card is used in a terminal for performing de- 
sired functions in accordance with the rules, proce- 
dures, and data stored in or executed by the card and 
the terminal. 

When conventional microprocessor cards are is- 
sued to individual users, a validation procedure is exe- 
cuted on a validating terminal. The procedure generally 
requires the issuer to enter the correct manufacturers' 
serial number of the card in order to confirm that the card 
is authorized. A PIN is then assigned to or selected by 
the cardholder and stored in the secret zone. Moreover, 
a secret key number unique to the issuer, which may be 
common to a class or chronological series of cardhold- 
ers, may also be stored in the secret zone. In some card 
systems, the secret key is used as an argument of an 
encryption algorithm to send an encrypted word to the 
terminal for verification. If the word can be decoded by 
the terminal to derive the secret key, the card is pre- 
sumed to be authentic. Upon completion of the valida- 
tion procedure, the card MPU irreversibly alters its pro- 
gram so that no further words can be written in the secret 
memory zone. Thereafter, upon using the card, a user 
must enter the correct PIN in order to confirm that the 
card is being used by its authorized user. Conventional 
microprocessor cards also have the feature of tempo- 
rarily or permanently locking the card from use if a suc- 
cession of incorrect PIN entries on a terminal is detect- 
ed. 

At the time of issuance, an amount in monetary or 
other units is validated for the card being issued. In con- 
ventional cards, the amount is permanently written in 



one of a plurality of transaction sectors in the protected 
memory zone. Each time the card is to be "filled" with a 
new amount, one of the sectors is unlocked and written 
with a new amount by the issuer. Thus, a limited author- 
s ized amount can be written each time, and the card is 
then refilled a number of times before its memory space 
is used up. This is a security feature to minimize mone- 
tary loss in case the card is lost or stolen. The authorized 
amount is decremented with each transaction and a new 
balance is written until the balance is used up. Although 
any amount or balance can be written into the card's 
transaction memory, as a further security feature the 
card may prevent a balance being written which ex- 
ceeds a predetermined limit or a previously written bal- 
ance. 

A card automated transaction system incorporating 
the particular features of the invention will now be de- 
scribed. It should be understood that although particular 
embodiments are described, the invention is not limited 
to such embodiments, but encompasses all modifica- 
tions and variations which use the principles of the in- 
vention. For purposes of this description, the transaction 
terminal is selected to be a postage metering terminal 
for printing a postmark on a label, envelope, or waybill 
for articles to be mailed or shipped. However, it should 
be understood that the general principles of the inven- 
tion have broad applicability to any type of transaction 
terminal in which a microprocessor card may be used. 
For example, the terminal may also be a cash or article 
dispensing machine or a printer which prints validation 
marks, coupons, receipts, tickets, inventory documents, 
etc. 

Postage Meterin^Jerminal 

Referring to Fig. 1, a microprocessor card 10, as 
previously described, is adapted to be inserted in a card 
insertion slot 1 1 of an automated terminal device 20. The 
smartcard 10 has a contact section 12 which has a 
number of contacts 1 3 connected to the pinout leads of 
an IC chip including a microprocessor unit (card MPU) 
60 laminated beneath a protective layer of the card con- 
tact section 12. The contacts 13 are mated with corre- 
sponding contacts 23 of a terminal contact section 22 
upon insertion of the card 10 into the slot 11 in the di- 
rection indicated by arrow A. As the card is inserted, its 
leading edge abuts a part of the terminal contact section 
22 which is moved in the same direction, indicated by 
arrow B, so as to merge in operative electrical contact 
with the card contact section 1 2. A trip switch 22a is pro- 
vided at the base of slot 11 , and triggers a start signal 
to an operations microprocessor (terminal MPU) 30 
when the card has been fully inserted in position In the 
slot. 

The card MPU 60 executes an internally stored 
(firmware) program to check whether a requested trans- 
action is authorized and, prior to debiting the card ac- 
count balance, to perform a secure handshake recogni- 
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tion procedure (described further below) with a micro- 
processor in the terminal. Although the handshake pro- 
cedure can be performed with an operations microproc- 
essor for the terminal, or one remote to the terminal, it 
is preferred in the invention that the procedure be per- 
formed with a secure microprocessor embedded in the 
actual value dispensing section of the terminal. The val- 
ue dispensing section is a separate element in the ter- 
minal, and its microprocessor is made physically se- 
cure, such as by embedding it in epoxy, so that any at- 
tempt to tamper with it would result in rendering the val- 
ue dispensing section inoperative. For the postal trans- 
action terminal of the invention, the microprocessor is 
embedded in the printer unit which prints the postmark. 

The terminal contacts 23 are connected with the 
functional parts of the terminal, including a Clock syn- 
chronizing connection 24, a Reset connection 25, an op- 
erational voltage Vcc connection 26, an Input/Output (I/ 
O) port 27, an EPROM-writing voltage Vpp connection 
28, and a ground connection 29. The terminal MPU 30 
controls the interface with the card and the operation of 
the various parts of the terminal, including a keyboard 
31 , a display 32, such as an LCD, and a postmark printer 
40, which is the value dispensing section of the terminal. 
A power source Vo is provided by a battery and/or an 
external AC or DC line to power the various parts of the 
terminal. 

The printer 40 has a microprocessor unit (printer 
MPU) 41 which individually and uniquely controls the 
operation of a print head 42, such as an electrothermic 
or impact print head. The MPU 41 executes an internal 
program (firmware), like the card microprocessor, so 
that it cannot be tampered with from the outside. The 
printer MPU's internal program includes unique encryp- 
tion algorithms parallel to those stored in the card's mi- 
croprocessor, installed by the manufacturer, so that the 
printer MPU can execute a secure handshake recogni- 
tion procedure with the card's microprocessor to author- 
ize a requested transaction. The MPU 41 is also formed 
integrally with the print head 42, such as by embedding 
in epoxy or the like, so that it cannot be physically ac- 
cessed without destroying the print head. Thus, accord- 
ing to the invention, the print head 42 of the postage 
metering terminal 20 can only be operated through the 
MPU 41, and will print a postmark only when the hand- 
shake recognition procedure and a postmark print com- 
mand have been executed between the card MPU and 
the printer MPU 41. 

When a terminal is to be installed by the issuer in a 
location or distributed to a retail intermediary for field 
use, the issuer may also execute a validation procedure 
for the terminal similar to that for the card. A secret key 
number may be written in the secret memory zone of 
the printer MPU 41 , so that postage printing transactions 
can only be executed with cards provided with the cor- 
responding secret key number. Thus, cards validated by 
another issuer, even though obtained from the same 
manufacturer, will not be usable in the first-mentioned 



issuer's machines. 

The terminal MPU may of course be used for the 
handshake recognition procedure. However, it is prefer- 
able to have the procedure executed by the part which 
s is actually dispensing the article of value, and to leave 
the terminal MPU operable for general terminal opera- 
tions. A machine I D number (Ml N) may also be assigned 
to the terminal so that it can be recorded in the transac- 
tion history maintained on the card. As a further feature, 
10 the Ml N for one or more of the issuer's terminals can be 
stored in cards which are to be used only in those ter- 
minals. Thus, in an automated terminal system provided 
for one company, the terminals within the company can 
only be used with the cards issued to the employees of 
that company which have the company's secret key 
number and, optionally, the terminals within a depart- 
ment of the company may be configured to accept only 
cards provided with the MINs of that department's ma- 
chines. 

The interactive operation of the cardAerminal sys- 
tem will now be described. Upon inserting a card in slot 
11 , the trip switch 22a is triggered, and the terminal MPU 
30 initiates an identification request procedure to con- 
firm that the card is being used by an authorized user. 
For example, the terminal MPU may cause a prompt to 
appear on the display 32 requesting that the user enter 
a PIN. The number entered by the user is sent by the 
terminal MPU to the card MPU where it is checked 
against the PIN number(s) stored in the secret zone of 
the card's memory. If the number matches, the card 
MPU notifies the terminal MPU 30 to proceed. If the card 
is restricted for use only in particular machines, the card 
may request the terminal's MIN and check it against a 
stored list of authorized terminal numbers. If the terminal 
is restricted for use only with certain cards, the terminal 
may check the PIN or a card identification or account 
number against a stored list of authorized card numbers. 
As another security feature, the card program may 
check the number of incorrect PIN entries attempted or 
a card expiration date written in memory at the time of 
issuance. If the incorrect PIN entries exceed a prede- 
termined number, or if the current date indicated from 
the terminal MPU 30 is past the expiration date, the card 
MPU 60 can lock the card against further use until the 
user has had it revalidated by the issuer. 

If the initial confirmation procedures are passed, the 
terminal MPU 30 next prompts the user to enter infor- 
mation for a postage transaction. The user inputs on 
keypad 31 the amount of postage requested and, as a 
further option, the zip code of the sender's location and 
the date. As the information is supplied in sequence, i. 
e. "Amount", "Zip", and "Date", it is displayed on display 
32 for confirmation. Alternatively, the date may be main- 
tained by the terminal MPU 30, and displayed for user 
confirmation. When all the correct information has been 
entered, an edge of an envelope 51 to be mailed, or a 
label or mailing form to be attached to an item to be 
mailed, is inserted in a slot 50 on one side of the postage 
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metering terminal 20. The movement of the label or en- 
velope may be controlled to bring it in registration with 
the print head, as provided in conventional metering ma- 
chines. The user then presses the "Print" key to initiate 
a postage printing transaction. 

Handshake R_ecogn itiqn_ P roc ed ure 

A basic principle of the invention is that the actual 
execution of a value-exchanging transaction is securely 
controlled by a mutual handshake recognition proce- 
dure between a secure microprocessor maintaining the 
card account balance and a secure microprocessor con- 
trolling the value dispensing operation. The card's MPU 
must recognize the value dispensing section's micro- 
processor as valid, and vice versa, in order to execute 
a transaction. The card and the value dispensing section 
therefore can each remain autonomous and protected 
against counterfeiting or fraudulent use even if the se- 
curity of the other has been breached. Since they are 
autonomous, the cards and terminals can be distributed 
widely with a low risk of breach of the system and without 
the need for strict access controls. It thus has significant 
cost and security advantages over conventional card 
automated transaction systems. 

A two-way encrypted handshake embodiment will 
now be described. However, it should be understood 
that the invention is intended to encompass any mutual 
handshake procedure by which the card and dispensing 
microprocessors can recognize the other as authorized 
to execute a requested transaction. In the preferred 
postage terminal embodiment, the handshake proce- 
dure is executed between the card MPU 60 and the 
printer MPU 41 . As illustrated schematically in Fig. 2a, 
when the "Print" key signal is received by the terminal 
MPU 30, the latter opens a channel 61 of communica- 
tion between the card MPU 60 and the printer MPU 41 . 
A "commence" signal and the amount of the requested 
transaction, i.e. postage, is then sent from the terminal 
MPU 30 to the card MPU 60, and a similar "commence" 
signal to the printer MPU 41 , in order to prepare the way 
for the handshake procedure. 

Referring to Fig. 2b, the card MPU 60 initiates the 
handshake procedure upon receipt of the "commence" 
signal by first verifying if the requested amount is avail- 
able for the transaction. As an advantageous feature of 
the invention, the card MPU 60 checks the available bal- 
ance of the card and (if implemented in the card's pro- 
gram) whether the requested transaction is within any 
limits specified by the card issuer. For example, use of 
the card can be limited to a maximum postage amount 
and/or class of postage for each transaction or a cumu- 
lative total of transactions. Upon verifying that the re- 
quested transaction is authorized, the card MPU 60 en- 
crypts an object number N, which may be a randomly 
generated number, with a key number k1 (which may be 
the user's PIN) stored in the secret zone of its memory 
by a first encryption algorithm E1 and sends the result- 



ant word W1 through the handshake channel 61 of ter- 
minal MPU 30 to the printer MPU 41 . 

Upon receipt of the word W1 , the printer MPU 41 
decodes the number using the same number k1 by the 
5 inverse algorithm E1\ The number k1 may be a secret 
key number stored in the printer MPU's memory at the 
time of validation, or in an open system, it may be the 
PIN entered by the user on the terminal, or a combina- 
tion of both. The printer MPU 41 then encrypts the de- 
10 coded number with the number k1 by a second encryp- 
tion algorithm E2 to send a second word W2 back to the 
card MPU 60. 

Upon receipt of the word W2, the card MPU 60 de- 
codes the number again using the key number k1 by the 
is inverse of the second algorithm E2', and compares the 
decoded number with the number it used in the first 
transmission. If the numbers match, the handshake pro- 
cedure has been successfully completed, and the card 
and printer MPUs have recognized each other as au- 
20 thorized to execute the requested transaction. The card 
MPU then debits the postage amount from the card bal- 
ance, and then sends a print command and the postage 
amount to the printer MPU. The printer MPU prints the 
postage on envelope 51, in cooperation with the termi- 
25 nal MPU 30 whic controls the movement of the envelope 
under the print head. The printer MPU then sends an 
"end" signal to the terminal MPU 30, which accordingly 
switches off the handshake channel 61 and resets itself 
to receive the next transaction request. 
30 in the preferred embodiment, the card MPU 60 
stores only the amount of the transaction in its transac- 
tion record, and does not store the new balance. In- 
stead, the balance is recomputed from the original au- 
thorized amount and the stored history of transaction 
35 debits at the time a transaction is requested. This pro- 
cedure substitutes the MPU's computing power to save 
a significant amount of card EPROM memory space. 

The card automated transaction system of the in- 
vention is provided with high security at a plurality of lev- 
40 els, which is particularly advantageous for off-line trans- 
actions involving large numbers of issued cards and 
widely distributed terminal devices. As depicted in Fig. 
3, the encryption algorithms are provided at the first se- 
curity level I by the manufacturer, the secret key, PIN, 
45 and/or Ml N are provided at security level II by the issuer, 
the PIN is used at security level 111 by a particular user, 
and the MIN and/or secret key may be used at security 
level IV to operate a particular machine(s). 

At level I, the print head of the terminal is only op- 
50 erable to dispense value, i.e. print postage, if the en- 
cryption algorithms provided by the manufacturer match 
those of the card, thereby protecting against counterfeit 
cards and terminals. Even if the security or the manu- 
facturer has been penetrated, and the encryption algo- 
55 rithms have been obtained by a counterfeiter, the secret 
key may be assigned at level II by the issuer and used 
in the handshake procedure, thereby deterring the use 
of counterfeit cards and terminals which do not have the 
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secret key. At security level III, a card can only be used 
to operate a terminal if the correct PIN is known, and it 
initial confirmation procedures are passed. At security 
level IV, a card can only be used in a particular terminal 
identified by the correct MIN. 

A related embodiment of the invention is illustrated 
in Fig. 4 which employs a second card having postal rate 
data stored in memory to compute the correct postage 
automatically. A terminal 20, similar to the one previous- 
ly described, includes a second slot 91 for a "rate" card 
90. The terminal has a slot 50 in which a postal label or 
envelope 51 is inserted for imprinting by the printer 40. 
For a parcel 52, the label 51 is printed then affixed to 
the parcel for mailing. A scale 53 may be connected to 
the terminal and MPU 30 to provide the weight of the 
envelope or parcel 52. 

The rate card has a memory device 92, preferably 
an IC ROM, which is accessed and read by the terminal 
MPU 30 through contact portion 93 mated in contact 
with the pinout terminals of the memory device. Switch- 
es 22a and 92a provide signals when the user and rate 
cards have been inserted in the respective slots. Inser- 
tion of the user card initiates operation of the terminal. 
If a rate card is not inserted, the terminal MPU 30 can 
instead request the appropriate postal amount from the 
user by a prompt on the display 32. The terminal MPU 
may also have a mode for reading postal rates from the 
rate card. 

The program operation of the postage metering ter- 
minal 20 is illustrated in block diagram form in Fig. 5. 
Upon insertion of the user card 10 in slot 11, the user 
confirmation procedures previously described are car- 
ried out between the terminal MPU 30 and card MPU 
60. If an unauthorized card or user is detected, the card 
is locked and the terminal operations are terminated. If 
a valid user card is confirmed, the terminal program then 
checks if a rate card 90 is inserted and whether it is valid. 
Validity can be determined by the issue number of the 
card or by an indicated expiration date. If there is no rate 
card, the terminal MPU requests the user to input the 
desired postage and goes to the print key decision block 
97. If a valid rate card is present, the terminal program 
requests the codes for the source and destination of the 
item and the class of mail desired. The program then 
checks for a signal from the scale 53 indicating the 
weight of the item. If no scale is connected or weight 
indicated, the program requests the user to input the in- 
formation. 

The rate card memory contains a current listing of 
the rates for a particular carrier divided according to 
zone classifications, weight, and/or type of mail. For the 
U.S. Postal Service, the postage amount is calculated 
based upon the origin and destination zip codes, class 
of mail, and weight by looking up tables stored in the 
rate card memory 92. If the "Print Key" is depressed, the 
terminal program then sends the "commence" signal to 
the card MPU and printer MPU to execute the hand- 
shake procedure and debiting and printing operations 



as previously described. If an "Auto" mode key of the 
terminal has been pressed or the user elects to continue 
in response to a prompt, the terminal program returns 
to the beginning of the transaction loop indicated at 
5 block 94. The "Auto" mode may be used in conjunction 
with an automatic feeder for postmarking a series of en- 
velopes or labels. The terminal operation is terminated 
if the transaction loop is not continued, or if the hand- 
shake procedure is not completed. 

10 

Postmark Authentication 

In accordance with the principles of the invention as 
applied to postage metering terminals, a postmark au- 
thenticating procedure will now be described. The pro- 
cedure is provided as a security feature to deter the 
printing of a counterfeit postmark by a printer, copier, or 
other facsimile device which is not authorized by the is- 
suer of the above-described card/terminal system. Con- 
ventional high resolution printers and graphics capabil- 
ities of personal computers present an increasing risk 
that value-confirming marks, such as a postmark, ticket, 
coupon, etc. can be simulated by a counterfeiter. In the 
invention, an underlying and/or invisible machine read- 
able code is printed first and then overprinted with the 
human readable postmark. The code can be uniquely 
selected by the issuer of the postage card/terminal sys- 
tem, and periodically changed to eliminate any benefit 
from gaining unauthorized access to the code. Further, 
the code can be printed with ink that is invisible in the 
normal light spectrum, so that it is readable only with a 
magnetic, infrared, or ultraviolet reader. 

Referring to an example shown in Figs. 6a and 6b, 
a conventional imprinted postmark has a logo or graphic 
design 70, text 71 indicating that the postage is issued 
through the U.S. Postal Service, numbers 72 indicating 
the postage amount, as well as the date 73, city 74, state 
75, and zip code 76 of origin, and the identification 
number 77 of the postage meter from which the post- 
mark was printed. In the invention, coded marks 78 are 
printed beneath the visible postmark in a predetermined 
code field 79 in invisible, machine readable ink. The al- 
gorithm for the coded marks is selected by the issuer, 
for example, representing the binary equivalent of the 
postage amount, i.e. "90" cents in Fig. 6a, shown in bi- 
nary form in Fig. 6b. The coded marks can represent 
any other element of the postmark, such as the meter 
identification number or zip code. Alternatively, a bar 
code 83 can be printed with a postmark information sec- 
tion 83a and a check code section 83b, which is encrypt- 
ed based upon one of the postmark elements. The post- 
mark element and/or the encryption algorithm can be 
uniquely selected by the issuer. Even if the coded marks 
are printed in visible form, the encryption of a variable 
postmark element, such as the sender's zip code, date, 
or postage amount, will make copying difficult. 

The printing of the postmark and authentication 
code can readily be incorporated in the card/terminal 
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system illustrated in Fig. 1 . The printer 42 is provided 
with a memory 43 to which data representing the visible 
information of the postmark and the computed binary or 
other selected check code or converted bar code is 
transmitted from the terminal MPU 30 and stored. The 
fixed graphics of the postmark may be stored in a mem- 
ory associated with the MPU 30, which is preferable if 
the same terminal has the capability of printing a variety 
of postmark graphics for different carriers and/or class- 
es of service, or it may be permanently stored in a sec- 
tion of the printer memory 43. The fixed graphics may 
instead be stored in the card's memory and loaded by 
terminal MPU 30 in the printer memory 43 for a request- 
ed transaction. Alternatively, the fixed graphics may be 
provided on a platen which operates with the print head 
if only one type of postmark is to be printed. 

In the preferred form, the print head 42 is an impact 
printer which has two ink ribbons 42a and 42b, one of 
invisible, machine readable ink and the other of visible 
ink. When the handshake procedure has been complet- 
ed, and the print command issued by the card MPU 60, 
the printer MPU 41 accesses the data stored in the 
memory 43 and, in a first pass, prints the coded marks 
in invisible ink then, in a second pass, prints the visible 
postmark information. 

As indicated in fig. 6a, when mail or other articles 
are subsequently presented to a central mail routing and 
distribution system, such as that of the U.S. Postal Serv- 
ice or a private carrier, the postmark may be passed un- 
der a detector 80 which has a visible light spectrum 
reader 81 and a code reader 82, such as a magnetic, 
infrared, or ultraviolet reader, or a bar code reader 83 
for bar code marks. If the code marks are absent or if 
the check code does not correspond to the element of 
the postmark selected for coding, an audit record can 
be made of the non-conformity, for example, by record- 
ing the meter identification number, date, and zip code 
of origin. An investigation of the source of the unauthor- 
ized postage can then be initiated if numerous articles 
are found bearing unauthorized postmarks. The post- 
mark authentication marks of the invention thus provide 
an additional level of security against counterfeiting 
which is not offered in conventional postal metering ma- 
chines. 

Postal Waybill Terminal 

A further embodiment of the invention is illustrated 
in Fig. 7 which is adapted for printing standard form way- 
bills for mailing articles using a wide range of postal or 
private carrier services. A terminal 20' includes a slot 1 1 
for a user card 10, a terminal MPU 30, a printer 40 and 
printer MPU 41, a keyboard 31', and a display 32', as 
previously described with respect to Fig. 1 . The terminal 
also includes a second slot 91 for a "rate" card 90 and 
a third slot 101 for a "special services" card 100. The 
terminal has a slot 50 in which a standard waybill form 
51 1 is inserted for imprinting by the printer 40. The way- 



bill 51' is then affixed to an envelope or parcel 52 for 
mailing. A scale 53 can be connected to the terminal 
and MPU 30 to automatically provide the weight of the 
parcel 52. 

5 The rate and special services cards have memory 
devices 92 and 102, respectively, which are preferably 
IC ROMs that are accessed and read by the terminal 
MPU 30 through contact portions 93 and 103, respec- 
tively, mated in contact with the pinout terminals of the 
memory devices. Switches 22a, 92a, and 1 02a provide 
detection signals when the cards have been inserted in 
the respective slots. A display 32' provides a full field 
corresponding to the appearance of the waybill form, 
and the keyboard 31 ' includes a full set of alphanumeric 
characters and command keys. 

The rate card memory contains a current listing of 
the rates for a particular carrier. For example, if the car- 
rier is the U.S. Postal Services, the Post Office rates are 
listed according to zone classifications, weight, and 
class of mail. The special services card memory con- 
tains a program for filling out a standard waybill form in 
accordance with the information required by and with 
indicia identifying the mailing services of a particular car- 
rier. For example, if the carrier is the U.S. Postal Service, 
the special services card can provide the programs for 
printing waybills for Express Mail, Certified Mail, Regis- 
tered Mail, Insured Mail, etc. 

The program operation of the postal waybill terminal 
20' is illustrated in block diagram form in Fig. 8, and a 
sample waybill form is shown in Fig. 9. Upon insertion 
of the user card 1 0 in slot 1 1 , the user confirmation pro- 
cedures previously described are carried out between 
the terminal MPU 30 and card MPU 60. If an unauthor- 
ized card or user is detected, the card is locked and the 
terminal operations are terminated. With a valid user 
card, the terminal program then checks if a rate card 90 
and/or a special services card 100 is inserted and 
whether each is valid. Validity can be determined by the 
issue number of the card or by an indicated expiration 
date. If there is no rate card or special services card, the 
terminal MPU requests the user to input the desired 
postage and goes to the print key decision block 121. 
The terminal is then used to print a postmark or postage 
label as described previously. If a valid services card is 
present, the terminal program displays a menu of mail- 
ing or carrier services from the services card and re- 
quests the user to select a service. 

The terminal MPU 30 loads the selected service 
program from the service card and executes it, as indi- 
cated at block 118. For typical carrier services, the serv- 
ice program displays a standard carrier waybill form 
used by the selected carrier. For example, if the U.S. 
Postal Service Express Mail service is selected, the 
form shown in Fig. 9 is displayed. The form includes a 
carrier identification field 130, service class field 131, 
and pointers on the display for inserting information in 
fields 132-137 and 140-146. A waybill identification 
number in bar code 1 38 and characters 1 39 is selected 
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for the transaction and displayed. Preferably, the serv- 
ices card has a list of reserved waybill numbers which 
are sequentially incremented for each completed trans- 
action. If a transaction is not completed, the number is 
saved for the next transaction. As described previously, 
the bar code can include a section which is an encryp- 
tion of one element of the waybill information, so that 
the authenticity of the form can be verified by machine 
processing of the waybill. 

The services program as executed by the terminal 
MPU 30 next uses cursor prompts to request the user 
to provide information for certain fields, such as the zip 
codes or origin and destination 132 and 133, and the 
addresses of the sender and recipient 140 and 141 . As 
the user supplies each item of information and presses 
an "Enter" key, the program causes the cursor to shift 
to the next field of information to be supplied, as indicat- 
ed by the arrows C in Fig. 9. The date and time fields 
1 34 and 1 35 may be requested from the user or supplied 
from the terminal if it is provided with a clock and calen- 
dar. The weight 1 36 may be provided from the output of 
the scale 53, if connected to the terminal, or supplied by 
the user. The meter identification number (MIN) is sup- 
plied by the terminal for field 1 37. 

Based upon the origin and destination zip codes 
and weight, the postal amount, other service charges, 
and total amount 144-146 are calculated and displayed 
under program control using the rate card if appropriate. 
The total transaction amount is saved. If the "Print" key 
is depressed, the terminal program then sends the 
"commence" signal to the card MPU and printer MPU to 
execute the handshake procedure and debiting and 
printing operations as previously described. If an "Auto" 
mode key of the terminal is depressed or the user elects 
to continue in response to a prompt, the terminal pro- 
gram returns to the beginning of the transaction loop in- 
dicated at block 1 1 3. The terminal operation is terminat- 
ed if the transaction loop is not continued, or if the hand- 
shake procedure is not completed. 

The terminal can be used to program and print the 
waybills of other selected carriers or services by inser- 
tion of the proper user, rate and/or service cards. For 
convenience of the automated terminal system, it is de- 
sirable if all postal and waybill forms can be standard- 
ized to one or a limited number of form blanks. 

Refilling Terminal 

Another embodiment of the invention is the provi- 
sion of a user card refilling terminal which may be main- 
tained at any desired postal retail or distribution location 
for the convenience of the issuer of the cards and users. 
A new amount can be "filled", i.e. credited to an author- 
ized balance maintained in the user card, and a master 
refilling card having a greater amount for distribution is 
correspondingly debited. In accordance with the princi- 
ples of the invention, the secure handshake recognition 
procedure is executed before the transaction is author- 



ized. The refilling terminal can also be used to validate 
new cards to be issued. 

An exemplary embodiment of the refilling terminal 
is shown in Fig. 10, having a first slot 161 for a master 
s refilling card 1 60, a second slot 171 for a supervisor card 
170, a third slot 174 for a user card 10, a terminal mi- 
croprocessor 30", a keyboard 31", and a display 32". 
Each card is of the type described previously, with se- 
cure microprocessors (MPU) 162, 172, and 60, respec- 
10 tively, in contact with respective terminal contacts 163, 
173, and 175. Switches 162a, 172a, and 176 provide 
detection signals when the cards are inserted in their 
respective slots. The operation of terminal MPU 30" is 
enabled after insertion of a master card 160 and a su- 
15 pervisor card 170. 

A master refilling card is initially purchased from a 
central issuer, such as the U.S. Postal Service, an au- 
thorized distributor for the central issuer, oraprivate car- 
rier company. It is generally intended to be purchased 
20 by a local refilling entity which provides service to indi- 
vidual users, such as a bank branch, retail store, or cor- 
porate department. In the preferred embodiment, it is 
manufactured in a fixed denomination and remains 
locked until it is activated by a supervisor card of the 
25 central issuer. The encryption algorithms used for the 
handshake procedure are already written into its MPU 
firmware, and is enabled to execute the handshake pro- 
cedure when the secret key number is installed by a su- 
pervisor card during the activation procedure. Once ac- 
30 tivated, the master card balance is debited for refilling 
transactions until it is used up. A history of all debiting 
transactions is maintained in the master card. 

A supervisor card is provided by the central issuer 
in the custody of an officer or manager of the local re- 
35 filling entity and a supervisor PIN is assigned. The su- 
pervisor card is used to unlock all master cards sold to 
the refilling entity and to maintain a record of the serial 
numbers of the master cards for subsequent card con- 
firmation procedures. It is used to authorize crediting 
40 transactions to user cards, and maintains a transaction 
record of all refilling operations and the identity of the 
recipient user cards. The supervisor card is manufac- 
tured with the handshake encryption algorithms in 
firmware, and may be provided by the central issuer with 
45 a secret key number to be installed in the master and 
user cards. The master and supervisor cards together 
allow user cards to be conveniently refilled at widely dis- 
tributed local entities without the need for on-line confir- 
mation of each refilling transaction from the central is- 
50 suer. Alternatively, the user card can be refilled by the 
master card alone, with the handshake procedure exe- 
cuted between the user card's MPU and the master 
card's MPU. However, the use of a controlling supervi- 
sor card is preferred as an additional level o security to 
55 deter counterfeiting or fraudulent use of the higher value 
master cards. 

The operation of the refilling terminal will now be 
described for the preferred three-card embodiment with 
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reference to the block diagram of Fig. 1 1 . Upon initiation 
of the terminal program, the master card is checked at 
block 180 to determine if it is already activated. If not, 
the terminal follows an activation procedure at block 181 
of confirming the supervisor PIN, checking the master 
card serial number, installing a secret key number in the 
master card, executing the handshake procedure, then 
unlocking the master card's balance, and recording the 
master card's serial number, balance, date, and other 
transaction information. 

If the master card has already been activated, the 
supervisor card checks the master card serial number 
against its record of authorized master cards. If the mas- 
ter card is unauthorized, the terminal program goes to 
an end procedure at block 1 97. With an authorized mas- 
ter card, the terminal program checks If the user card 
inserted in the terminal is new or to be refilled. For a new 
user card, the refilling terminal executes at blocks 
1 90-1 93 a validation procedure which includes checking 
the designated card serial number with the number em- 
bedded in its memory, recording the user's identification 
information, and assigning a user PIN. At block 192, the 
terminal prompts the operator for any limitations on the 
amounts or type of transactions the card can be used 
for, the identification numbers of the terminals to which 
the card is restricted, or an expiration date if required by 
the issuer. The validation procedure is completed by in- 
stalling the secret key number and sealing the secret 
memory zone. 

If the user card is to be refilled, the user PIN is con- 
firmed, and then the card is checked for any balance to 
be credited toward the new amount or to the user's ac- 
count. The old memory section is then locked from fur- 
ther transactions, and can only be used for reading out 
a transaction history. Upon a request for a new amount, 
either for a new card that has been validated or for a 
card to be refilled, the terminal MPU 30" opens a hand- 
shake channel, and the handshake procedure previous- 
ly described is executed between the master MPU 162 
and the supervisor MPU 1 72. When the handshake pro- 
cedure is completed, the master balance is debited and 
the supervisor card proceeds to open a new transaction 
memory section in the user card into which the new bal- 
ance is written. The program then provides at block 1 97 
an end selection of further operations which may be car- 
ried out on the refilling terminal. For example, another 
refilling transaction may be processed, the supervisor 
card record may be updated, the newly validated user 
or master card may be embossed with a serial number 
or account number if the terminal is connected to an em- 
bossing machine, or operations may be terminated. 

The described refilling system is protected at sev- 
eral levels of security. First, a supervisor card is re- 
quired, and the user card must be validated by the user 
PIN. The master card must be validated by the supervi- 
sor card and must execute the handshake procedure 
before the user card is credited with a new amount. The 
card/terminal system has the primary advantage that 



the debiting of the card balance is executed in the same 
time frame that the value dispensing operation is carried 
out, and the exchange can only be carried out for each 
transaction if the mutual handshake recognition proce- 

s dure is executed between the secure microprocessors 
controlling each part. Also, the central issuer purchases 
the card/terminal system from the manufacturer with a 
given set of encryption algorithms, and then selects a 
unique secret key not known to the manufacturer. Thus, 

10 penetration of the manufacturer's security will not com- 
promise the security of the issuer's system. By issuing 
cards with defined expiration dates or series numbers 
and changing the secret keys periodically, an issuer sys- 
tem can be made even more impenetrable to counter- 

15 feiters. 

The user's card is not merely a passive record of an 
account number and balance, but rather operates to af- 
firmatively protect against unauthorized use of the card, 
for example, if a succession of incorrect PIN entries is 
20 made, if the card is used beyond its expiration date or 
in an unauthorized machine, or if a requested transac- 
tion is in excess of predetermined limits. Similarly, the 
value dispensing part of the terminal is protected against 
tampering by the physical bonding of the printer micro- 
ns processor to the print head. 

Moreover, since the postal and refilling transactions 
are executed with cards issued by a central issuer and 
take place only within the issuer's system, they are pro- 
tected from counterfeit cards or cards issued by another 
30 system. One issuer's system thus remains closed to all 
other issuers systems, and several systems can use the 
same terminals without interference from the other. For 
example, the U.S. Postal Service and several private 
carriers can each constitute a separate issuer system 
35 issuing its own cards. A user can purchase a card from 
each system and use the proper card in any terminal 
maintained at a local entity (branch post office, bank 
branch, local retail store) to generate authorized post- 
age or a waybill- for use in the corresponding system. 
40 Thus, users will have the benefit of secure and conven- 
ient access to a wide range of postal and carrier servic- 
es. 

The microprocessor cards (user, master, and su- 
pervisor), memory cards (rate and special services), 

45 and terminals (metering, waybill printing, and refilling) 
comprise an integrated postal transaction system which 
provides a greatly improved level of access, conven- 
ience, and security, compared to conventional postal 
machines. The overall system is illustrated in Fig, 12. It 

50 allows widely issued user cards to be used in widely dis- 
tributed postage metering and waybill printing terminals, 
with the appropriate rate and/or services cards, to ac- 
cess a plurality of postal and carrier services. The refill- 
ing terminals allows a central issuer to distribute postal 

55 monetary value to users at widely distributed locations. 
Strict physical access controls are not required, the 
need to limit the postal amounts and services obtainable 
by issued cards is reduced, in-person purchase trans- 
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actions are avoided, and on-line confirmation by a cen- 
tral account office is obviated. The cards and terminals 
are configured to be autonomous, yet mutual recogni- 
tion and confirmation of validity and transaction 
amounts are required, thereby providing a high level of 
security for the system. 

The invention is not limited to the described auto- 
mated postal terminals. The principles of the invention 
can be adapted to any other value exchanging transac- 
tion where it is desired to use an account card in an off- 
line automated terminal system. Thus, the described 
smartcards and value dispensing terminals can also be 
used for dispensing cash, printing tickets, issuing cou- 
pons, etc., and the user can possess a variety of cards 
each issued by a central issuer for the convenient pur- 
chase of different articles of value, Also, by implement- 
ing smartcard and terminal MPU programs which check 
for authorized machine identification numbers and card 
serial numbers, or execute the handshake procedure 
with different algorithms and/or secret keys, an issuer's 
system can be configured so that the issuer's cards and 
terminals may be made open or restricted to ce rtain f am- 
iiies, series or locations. 

Other features are useful adjuncts to the central 
concepts described above. For example, a transaction 
history printer may be provided from which a user can 
print a record of transactions stored in the smartcard up- 
on entry of the correct PIN. The various cards can be 
provided with notches on a border or coded key ele- 
ments to prevent insertion of the wrong card in an incor- 
rect terminal slot or in a terminal of another issuer sys- 
tem. Also, the invention can be adapted for on-line trans- 
action systems. For example, the terminal MPU can be 
connected by a telephone line or local network to a cen- 
tral processing office for approval of a transaction prior 
to execution of the transaction. On-line confirmation 
may be desired for initialization and refilling transactions 
which are less frequent and of higher value than pur- 
chase transactions. As another security feature, the 
card or series of cards may be issued with encryption 
algorithms and/or secret key numbers which are 
changed periodically, and the encryption algorithms and 
secret keys corresponding to cards presented for a 
transaction can be loaded in the terminal at the time the 
terminal MPU establishes an on-line connection to the 
central office. 

As described, in the interactive card/terminal sys- 
tem the card and the terminal each have a security fea- 
ture which prevents the completion of a requested trans- 
action unless a secure handshake recognition proce- 
dure is mutually executed between the card and the ter- 
minal such that they each recognize the other as author- 
ized to execute a transaction. In particular, it is desired 
that the card and the terminal cooperate together to ex- 
ecute a simultaneous dispensing of value by the termi- 
nal and debiting of an authorized balance by the card. 

A further object is to provide a new generation of 
card automated postal terminals which have greater 



flexibility in the range of postal products and services 
offered, wherein the terminals are individually secure 
and can be accessed in relatively unrestricted areas, 
and the cards can be refilled at any desired location 
s through secure refilling terminals validated by the issuer. 
As described, the card automated transaction sys- 
tem employs a card having a secure, resident micro- 
processor which operates to confirm that a requested 
transaction is authorized and to then initiate an interac- 
ts tive handshake recognition procedure with a resident 
microprocessor in the value dispensing section of an au- 
tomated terminal. Upon successful completion of the 
handshake procedure, the card microprocessor and the 
dispensing section microprocessor simultaneously ac- 
15 tuate the dispensing of the requested article or item of 
value and the debiting of an authorized balance from the 
card. 

A particular embodiment employs a mutual hand- 
shake recognition procedure executed as follows: (1) 
upon confirming that a requested transaction is author- 
ized, the card passes to the terminal a word comprising 
a randomly generated or other object number encrypted 
by a first resident algorithm and a key number stored in 
the card; (2) the terminal decodes the number using a 
corresponding inverse of the first algorithm and the key 
number; (3) the terminal sends back to the card a sec- 
ond word comprising the decoded random number en- 
crypted by a second resident algorithm and the key 
number; (4) the card decodes the second word using a 
corresponding inverse of the second algorithm and the 
key number and compares the decoded number to the 
one originally sent; (5) if the numbers match, the card 
microprocessor debits its authorized balance for the in- 
dicated amount of the transaction and sends an actua- 
tion signal to the terminal to proceed with the transac- 
tion; and (6) upon receipt of the actuation signal, the dis- 
pensing microprocessor actuates the dispensing sec- 
tion to complete the transaction. The transmitted actu- 
ation signal may also be encrypted and decoded by the 
above algorithms or a similar method. 

The above-described interactive card automated 
transaction system may be applied to postage metering 
machines. In one embodiment, a postage metering ter- 
minal has a slot for receiving a microprocessor card is- 
sued with an authorized balance, a print head with a se- 
cure microprocessor which interacts with the card mi- 
croprocessor, a keypad, a display, and an operations mi- 
croprocessor which accepts a keyed input of the post- 
age amount requested, displays the keyed input, que- 
ries the card to authorize and initiate the postage print- 
ing transaction, and then resets the machine for the next 
transaction or executes a series of transactions in a re- 
peat mode. 

In a related embodiment, a postage metering termi- 
nal has a first slot for receiving a user microprocessor 
card, a second slot for receiving a postal rate card, a 
print head with a secure microprocessor, a keypad and 
other means for entering source and destination (postal 
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zip) codes, means for entering the weight and postal 
class of the article to be mailed, and an operations mi- 
croprocessor having a-program for calculating the cor- 
rect postage based upon the listings of the rate card and 
the keyed-in information. 

The card automated postal transaction system can 
be readily applied not only to the postal products and 
services of the U.S. Postal Service, but also to private 
carriers and parcel delivery companies. In a further em- 
bodiment, a postal waybill terminal has a third slot for 
receiving a special services card which has stored data 
from which the terminal can print postal and delivery 
services information on standard form blanks. For ex- 
ample, the special services card can be used to print 
Post Office forms, such as Certified Mail or Registered 
Mail, or the waybills of private carrier companies. The 
terminal is also provided with a full field display of the 
waybill form, prompts the user for information by pro- 
grammed cursor movements, and has command keys 
for inputting sender and addressee information, rate or 
service class, waybill number, carrier information, etc. 

As subsidiary features, the microprocessor cards 
can be configured to provide different types of access 
to the terminals as desired, for example, limited num- 
bers or types of users in limited numbers or types of ma- 
chines, unlimited users in limited machines, limited us- 
ers in unlimited machines, or unlimited users in unlimit- 
ed machines. The different types of access can be im- 
plemented by storing key numbers in the card for iden- 
tifying authorized users and/or machines, and/or key 
numbers in the terminal operations microprocessor for 
identifying authorized users. The user cards can also be 
configured at the time of issuance for limits to the 
amounts and types of individual transactions, and tem- 
porary or permanent locking upon detection of an unau- 
thorized user or card. Another system feature is the stor- 
ing of a history of transactions executed by the card, and 
the recomputing of the remaining balance upon each 
transaction request, in order to save card memory 
space. A separate transaction printer may be used to 
obtain a printout of the card's transaction history. 

The postage metering terminals according to the in- 
vention are also provided with means for allowing a post 
office or carrier to authenticate the postage marks or 
waybills that are printed. In one embodiment, the termi- 
nal printer prints within or under the postmark a coded 
number or sequence of marks corresponding to an ele- 
ment of the postmark, such as the amount of postage, 
the terminal identification number, and/or the sender's 
zip code. The marks may be disguised or made invisible 
by printing with a magnetically or optically readable ink 
to deter tampering or unauthorized simulation. They 
may then be machine-read by the post office or private 
carrier company to determine whether the printed post- 
mark was printed by an authorized printer, and at the 
same time provide an audit trail to the sender. 

In accordance with a further application of the sys- 
tem, an integrated system of microprocessor cards and 



terminals provides transaction facilities which permit 
widespread use and convenient access to users. The 
authorized amount of the user card may be initially val- 
idated or refilled from a master refilling card, which has 
5 a larger authorized amount, preferably in conjunction 
with a supervisor card issued under strict distribution 
control. A refilling terminal is provided with three inser- 
tion slots for the three cards, and has an operations pro- 
gram to check the identity of the master refilling card 
and the user card to determine if they are valid for use 
in the refilling terminal. Upon clearance, the secure 
handshake recognition procedure must be successfully 
executed between the microprocessors of the supervi- 
sor and master cards in order to permit a debit to the 
master card of the refill amount and a credit to the user 
card. If the user card is a new card, a validation proce- 
dure and the selection and storing of a user PIN are ex- 
ecuted. 

The card automated transaction system has broad 
applicability to many other types of purchase or credit 
transactions besides postal services and products. For 
example, it can also be used for credit card transactions, 
inventory control, bills of lading, automated cash ma- 
chines, or virtually any other type of transaction in which 
a user account must be securely debited through an au- 
tomated terminal in exchange for an article or item of 
value. The system is especially advantageous in off-line 
transactions in which distributed terminals not under 
strict access controls are used. 

Based upon the foregoing disclosure, many other 
peripheral features and modifications and variations on 
the principles of the invention will become apparent to 
persons familiar with automated terminals and smart- 
card systems. It is intended that the embodiments and 
features described herein and all further features, mod- 
ifications, and variations be included within the allowed 
scope of the invention, as it is defined in the appended 
claims. 



Claims 

1. A modular printer for a transaction terminal (20) 
which has an input section (31 ) for inputting a re- 
quest for printing a value indicia and an operating 
section (30) for enabling the terminal to execute the 
printing of the requested value indicia on an article, 
characterized in that: 

the modular printer (40) includes a printhead 
and a dedicated microprocessor (41) for con- 
trolling the printhead physically permanently 
bonded together such that the printhead micro- 
processor (41 ) cannot be physically tampered 
with without disabling the printhead; 
the modular printer is removably mounted in the 
terminal (20) ; and 

the modular printer includes an interface cou- 
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pled to the printhead microprocessor (41) for 
establishing an operative data path connection 
to the terminal operating section (30) to receive 
a print instruction signal from the terminal (20). 

2. A modular printer according to Claim 1 , further char- 
acterized in that a first ink supply is provided for sup- 
plying a visible human-readable ink to the print- 
head, a second ink supply is provided for supplying 
an invisible, machine-readable ink to the printhead, 
and the printhead microprocessor (41 ) Includes a 
stored program for controlling the printhead, upon 
receiving a print instruction signal from the terminal, 
in order to print a visible indicia with visible ink from 
the first ink supply, to derive an authentication code 
which uniquely corresponds to the visible indicia, 
and to print the authentication code as an invisible 
indicia with invisible ink from the second ink supply, 
whereby the printed indicia can be subsequently 
verified as authentic by machine reading of the in- 
visible authentication code and comparing it to the 
visible indicia. 

3. A modular printer according to Claim 2 wherein the 
printhead microprocessor (41 ) includes a stored se- 
curity program for validating whether the print in- 
struction signal received from the terminal (20) is 
valid and for enabling the printhead to print only if 
the print instruction signal has been validated. 

4. A modular printer according to any one of Claims 2 
and 3, wherein the 

visible indicia to be printed is a postmark in- 
cluding a postage amount, and the printhead micro- 
processor (41) is operable to execute the stored 
program to generate an authentication code 
uniquely corresponding to the postage amount to 
be printed. 

5. A modular printer according to any one of Claims 2 
and 3, wherein the visible indicia to be printed is a 
postmark including a postage amount, and the 
printhead microprocessor (41) is operable to exe- 
cute the stored program to encrypt the postage 
amount as a bar code (83a, 83b) and to print the 
bar code as the invisible authentication code with 
the postmark. 

6. A transaction terminal (20) comprising: 

an input section (31) for inputting a request for 
printing a value indicia; 

an operating section (30) for enabling the ter- 
minal to execute the printing of the requested 
value indicia on an article; and characterized by 
a modular printer removably mounted in the ter- 
minal (20) and including a printhead and a ded- 
icated microprocessor (41) for controlling the 



printhead physically permanently bonded to- 
gether such that the printhead microprocessor 
(41 ) cannot be physically tampered with without 
disabling the printhead, and an interface cou- 
5 pled to the printhead microprocessor (41 ) for 

establishing an operative data path connection 
to the terminal operating section (30) to receive 
a print instruction signal therefrom. 

10 7. A transaction terminal according to Claim 6, where- 
in a first ink supply is provided for supplying a visible 
human-readable ink to the printhead, a second ink 
supply is provided for supplying an invisible, ma- 
chine-readable ink to the printhead, and the print- 
's head microprocessor (41) includes a stored pro- 
gram for controlling the printhead, upon receiving a 
print instruction signal from the terminal, in order to 
print a visible indicia with visible ink from the first ink 
supply, to derive an authentication code which 
20 uniquely corresponds to the visible indicia, and to 
print the authentication code as an invisible indicia 
with invisible ink from the second ink supply, where- 
by the printed indicia can be subsequently verified 
as authentic by machine reading of the invisible au- 
25 thentication code and comparing it to the visible in- 
dicia. 

8. A transaction terminal according to Claim 7 wherein 
the printhead microprocessor (41 ) includes a stored 
30 security program for validating whether the print in- 
struction signal received from the terminal (20) is 
valid and for enabling the printhead to print only if 
the print instruction signal has been validated. 

35 9. A transaction terminal according to any one of 
Claims 7 and 8, wherein the visible indicia to be 
printed is a postmark including a postage amount, 
and the printhead microprocessor (41) is operable 
to execute the stored program to generate an au- 
40 thentication code uniquely corresponding to the 
postage amount to be printed. 

10. A transaction terminal according to any one of 
Claims 7 to 9, wherein the visible indicia to be print- 

45 ed is a postmark including a postage amount, and 
the printhead microprocessor (41 ) is operable to ex- 
ecute the stored program to encrypt the postage 
amount as a bar code (83a, 83b) and to print the 
bar code as the invisible authentication code with 
so the postmark. 

11. A transaction terminal (20) according to any one of 
Claims 6 to 1 0 comprising means for receiving a us- 
er card (1 0) having a memory and a microprocessor 

5S (60) for executing secure transactions in which an 
article or item of value is dispensed and an account 
balance is debited in said memory. 
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12. Use of a modular printer as claimed in any one of 
Claims 1 to 5 in a transaction terminal. 



Patentanspruche 5 

1. Modularer Drucker fur eine Transaktionsstation 
(20), die einen Eingabeabschnitt (31) zur Eingabe 
einer Aufforderung zum Drucken eines Wertzei- 
chens und einen Betriebsabschnitt (30), um die Sta- 10 
tion in die Lage zu versetzen, das Drucken des an- 
geforderten Wertzeichens auf einen Artikel auszu- 
fuhren, aufweist, dadurch gekennzeichnet, daB: 

der modulare Drucker (40) einen Druckkopf 1$ 
und einen speziell zugewiesenen Mikroprozes- 
sor (41) zum Steuern des Druckkopfs aufweist, 
die physikalisch permanent verbunden sind, so 
daB an dem Druckkopf-Mikroprozessor (41) 
physikalisch nicht herumhantiert werden kann, 20 
ohne den Druckkopf zu deaktivieren; 

der modulare Drucker in der Station (20) ent- 
fembar angebracht ist; und 

25 

der modulare Drucker eine mit dem Druckkopf- 
Mikroprozessor (41) gekoppelte Schnittstelle 
umfaBt, um eine operative Datenpfadverbin- 
dung zu dem Stations-Betriebsabschnitt (30) 
herzustellen, um ein Druckbefehlssignal von 30 
der Station (20) zu empfangen. 

2. Modularer Drucker nach Anspruch 1 , dadurch ge- 
kennzeichnet, daB ein erster Farbvorrat zum Zuf uh- 
ren einer sichtbaren vom Menschen lesbaren Farbe 35 
an den Druckkopf vorgesehen ist, ein zweiter Farb- 
vorrat zum Zufuhren einer unsichtbaren von einer 
Maschine lesbaren Farbe an den Druckkopf vorge- 
sehen ist, und der Druckkopf-Mikroprozessor (41) 

ein gespeichertes Programm zum Steuern des 40 
Druckkopfs auf einen Empfang eines Druckbefehls- 
signals von der Station hin umfaBt, um ein sichtba- 
res Zeichen mit der sichtbaren Farbe von dem er- 
sten Farbvorrat zu drucken, um einen Autentifizie- 
rungscode abzuleiten, der in einzigartiger Weise 45 
dem sichtbaren Zeichen entspricht, und um den 
Autentifizierungscode als ein unsichtbares Zeichen 
mit unsichtbarer Farbe von dem zweiten Farbvorrat 
zu drucken, wodurch das gedruckte Zeichen da- 
nach durch einen Maschinen-Lesevorgang des un- so 
sichtbaren Autentifizierungscodes und durch ein 
Vergleichen dieses Codes mit dem sichtbaren Zei- 
chen als authentisch verifiziert werden kann. 

3. Modularer Drucker nach Anspruch 2, dadurch ge- 55 
kennzetchnet, daB der Druckkopf-Mikroprozessor 
(41) ein gespeichertes Sicherheitsprogramm um- 
faBt, um zu prufen, ob das von der Station (20) emp- 



fangene Druckbefehlssignal gultig ist, und um den 
Druckkopf in die Lage zu versetzen, nur dann zu 
drucken, wenn das Druckbefehlssignal fur gultig 
befunden worden ist. 

4. Modularer Drucker nach einem der Anspruche 2 
und 3, dadurch gekennzeichnet, daB das zu druk- 
kende sichtbare Zeichen ein Postzeichen mit einem 
Portobetrag ist und der Druckkopf-Mikroprozessor 
(41 ) betreibbar ist, um das gespeicherte Programm 
auszufOhren, um einen Autentifizierungscode zu 
erzeugen, der in einzigartiger Weise dem zu druk- 
kenden Portobetrag entspricht. 

5. Modularer Drucker nach einem der Anspruche 2 
und 3, dadurch gekennzeichnet, daB das zu druk- 
kende sichtbare Zeichen ein Postzeichen mit einem 
Portobetrag ist und der Druckkopf-Mikroprozessor 
(41 ) betreibbar ist, um das gespeicherte Programm 
auszufuhren, um den Portobetrag als einen Strich- 
code (83a, 83b) zu verschlusseln und den Strich- 
code als den unsichtbaren Autentifizierungscode 
mit dem Postzeichen zu drucken. 

6. Transaktionsstation (20), umfassend: 

einen Eingabeabschnitt (31) zum Eingeben ei- 
ner Aufforderung zum Drucken eines Wertzei- 
chens; 

einen Betriebsabschnitt (30), um die Station in 
die Lage zu versetzen, das Drucken des ange- 
forderten Wertzeichens auf einen Artikel aus- 
zufuhren; und gekennzeichnet durch 

einen modularen Drucker, der entfernbar in der 
Station (20) angebracht ist und der einen 
Druckkopf und einen speziell zugewiesenen 
Mikroprozessor (41 ) zum Steuern des Druck- 
kopfs, die physikalisch permanent zusammen- 
gebunden sind, so daB an dem Druckkopf-Mi- 
kroprozessor (41) ohne Deaktivieren des 
Druckkopfs physikalisch nicht herumhantiert 
werden kann, und eine mit dem Druckkopf-Mi- 
kroprozessor (41 ) gekoppelte Schnittstelle zum 
Herstellen einer operativen Datenpfadverbin- 
dung zu dem Stations-Betriebsabschnitt (30) 
zum Empfangen eines Druckbefehlssignals 
davon umfaBt. 

7. Transaktionsstation nach Anspruch 6, dadurch ge- 
kennzeichnet, daB ein erster Farbvorrat zum Zufuh- 
ren einer sichtbaren vom Menschen lesbaren Farbe 
an den Druckkopf vorgesehen ist, ein zweiter Farb- 
vorrat zum Zufuhren einer unsichtbaren von einer 
Maschine lesbaren Farbe an den Druckkopf vorge- 
sehen ist und der Druckkopf-Mikroprozessor (41) 
ein gespeichertes Programm zum Steuern des 
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Druckkopfs auf einen Empfang eines Druckbefehls- 
signals von der Station hin umfaBt, urn ein sichtba- 
res Zeichen mit sichtbarer Farbe von dem ersten 
Farbvorrat zu drucken, um einen Autentifizierungs- 
code abzufeiten, der in einzigartiger Weise dem 
sichtbaren Zeichen entspricht, und um den Auten- 
tifizierungscode als ein unsichtbares Zeichen mit 
unsichtbarer Farbe von dem zweiten Farbvorrat zu 
drucken, wodurch das gedruckte Zeichen durch ei- 
nen Maschinen-Lesevorgang des unsichtbaren 
Autentifizierungscodes und durch Vergleichen die- 
ses Codes mit dem sichtbaren Zeichen danach als 
authentisch verifiziert werden kann. 

8. Transaktionsstation nach Anspruch 7, dadurch ge- 
kennzeichnet, daB der Druckkopf-Mikroprozessor 
(41) ein gespeichertes Sicherheitsprogramm um- 
faBt, um zu prufen, ob das von der Station (20) emp- 
fangene Druckbefehlssignal gultig ist, und um den 
Druckkopf in die Lage zu versetzen, nur dann zu 
drucken, wenn das Druckbefehlssignal als gultig 
befunden worden ist. 

9. Transaktionsstation nach einem der Anspruche 7 
und 8, dadurch gekennzeichnet, daB das zu druk- 
kende sichtbare Zeichen ein Postzeichen mit einem 
Portobetrag ist, und der Druckkopf-Mikroprozessor 
(41 ) betreibbar ist, um das gespeicherte Programm 
auszufuhren, um einen Autentifizierungscode zu 
erzeugen, der in einzigartiger Weise dem zu druk- 
kenden Portobetrag entspricht. 

10. Transaktionsstation nach einem der Anspruche 7 
bis 9, dadurch gekennzeichnet, daB das zu druk- 
kende sichtbare Zeichen ein Postzeichen mit einem 
Portobetrag ist, und der Druckkopf-Mikroprozessor 
(41) betreibbar ist, um das gespeicherte Programm 
auszufuhren, um den Portobetrag als einen Strich- 
code (83a, 83b) zu verschtusseln und den Strich- 
code als den unsichtbaren Autentifizierungscode 
mit dem Postzeichen zu drucken. 

11. Transaktionsstation (20) nach einem der Anspru- 
che 6 bis 10, umfassend eine Einrichtung zur Auf- 
nahme einer Benutzerkarte (1 0) mit einem Speicher 
und einem Mikroprozessor (60) zum Ausf Qhren von 
gesicherten Transaktionen, bei denen ein Artikel 
oder ein Wertposten ausgegeben und ein Konto- 
stand in dem Speicher debitiert wird. 

12. Verwendung eines modularen Druckers, wie in ei- 
nem der Anspruche 1 bis 5 beansprucht, in einer 
Transaktionsstation. 



Revendicatlons 

1. Une imprimante modulaire, destinee a un terminal 



(20) de transactions, qui comporte une section d'en- 
tree (31) pour entrer une demande d'impression 
d'un marquage de valeur et une section d'exploita- 
tion (30] pour permettre au terminal d'ex6cuter I'im- 
s pression du marquage de valeur demandee sur un 
article, caracterisS en ce que 

□ I'imprimante modulaire (40] inclut une tete d'im- 
pression et un microprocesseur specialise (41 ) 
pour commander la tete d'impression, attaches 
physiquement en permanence entre eux, de fa- 
con que le microprocesseur [41] de tete d'im- 
pression ne puisse pas elre physiquement ma- 
nipule frauduleusement sans mettre hors ser- 
vice la tdte d'impression; 

□ Timprimante modulaire est montee de facon 
amovible dans le terminal (20); et 

□ I'imprimante modulaire inclut une interface cou- 
plee au microprocesseur (41 ) de t6te d'impres- 
sion pour &tablir une connexion de trajet de 
donnSes Sexploitation vers la section Sexploi- 
tation (30) du terminal pour recevoir du terminal 
[20] un signal d'instructions d'impression. 

2. Une imprimante modulaire selon la revendication 1 , 
caracterisee en outre en ce qu'une premiere ali- 
mentation en encre est agencee pour alimenter la 
tete d'impression en encre visible lisible par les per- 
sonnes, une deuxieme alimentation en encre est 
agencee pour alimenter la tdte d'impression en en- 
cre invisible, lisible a la machine, et le microproces- 
seur (41) de tete d'impression inclut un programme 
memorise pour commander la t§te d'impression 
lorsqu'il regoit du terminal un signal d'instructions 
d'impression, afin d'imprimer un marquage lisible, 
d'une encre visible provenant de la premiere ali- 
mentation d'encre, de deriver un code d'authentifi- 
cation qui correspond de facon speciale aux mar- 
quages visible, et d'imprimer le code d'authentifica- 
tion en tant que marquage invisible au moyen d'une 
encre invisible provenant de ('alimentation en encre 
invisible, grace a quoi le marquage imprime peut 
§tre v6rifie ulterieurement comme authentique en 
lisant a la machine le code invisible d'authentifica- 
tion et en le comparant au marquage visible. 

3. Une imprimante modulaire selon la revendication 2, 
dans laquelle le microprocesseur (41 ) de tete d'im- 
pression inclut un programme memorise de securi- 
ty pour valider que le signal d'instructions d'impres- 
sion recu du terminal (20] est bien valide et pour ne 
permettre a la tete d'impression d'imprimer que si 
le signal d'instructions d'impression a 6te valide. 

4. Une imprimante modulaire selon Tune quelconque 
des revendications 2 ou 3, dans laquelle le marqua- 
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ge visible a imprimer est un cachet postal incluant 
une valeur de timbrage et !e microprocesseur (41) 
de tdte depression peut etre mis en oeuvre pour 
exScuter le programme memorise" afin d'engendrer 
un code d'identification correspondant uniquement s 
a ta valeur de timbrage a imprimer. 

5. Une imprimante modulaire selon Tune quetconque 
des revendications 2 ou 3 dans iaquelle le marqua- 

ge visible a imprimer est un cachet postal incluant to 
une valeur d'affranchissement, et le microproces- 
seur [41) de tete d'impression peut etre mis en 
oeuvre pour executer le programme memorise" afin 
de chiffrer le montant de I'aff ranch issement sous 
forme de code a barres (83a, 83b) et d'imprimer le ts 
code a barres en tant que code invisible d'authen- 
tification avec le cachet postal. 

6. Un terminal (20) de transactions comprenant: 

20 

□ une section d'entr6e (31 ) pour entrer une de- 
mande d'impression d'un marquage de valeur; 

□ une section Sexploitation [30) pour permettre 

au terminal d'ex6cuter Pimpression du marqua- 25 
ge de valeur demande sur un article; et carac- 
terise" par 

□ une imprimante modulaire mont6e de facon 
amovible dans le terminal [20) et incluant une so 
tete d'impression d'un microprocesseur specia- 
list (41 ) de commande de la t§te d'impression, 
assembles physiquement en permanence en- 

tre eux de facon que le microprocesseur [41) 
de t§te d'impression ne puisse pas etre physi- 35 
quement manipuld frauduleusement sans met- 
tre hors service la tate d'impression, et une in- 
terface coupl6e au microprocesseur (41 ) de tS- 
te d'impression pour etablir une connexion de 
trajet de donnSes Sexploitation vers la section 40 
Sexploitation (30) de terminal pour en recevoir 
un signal ^instructions d'impression. 

7. Un terminal de transactions selon la revendication 

6, dans lequel une premiere alimentation en encre 45 
est agenc6e pour alimenter la tete d'impression en 
encre visible lisible par les personnes, une deuxie- 
me alimentation en encre est agenc6e pour alimen- 
ter la tete d'impression en encre invisible, lisible a 
la machine, et le microprocesseur (41 ) de tdte d'im- so 
pression inclut un programme m6moris6 pour com- 
mander la tete d'impression lorsqu'il recoit du ter- 
minal un signal d'instructions d'impression, afin 
d'imprimer un marquage lisible, d'une encre visible 
provenant de la premiere alimentation d'encre, de 55 
derive r un code d'authentification qui correspond de 
facon spSciale aux marquages visibles et d'impri- 
mer le code d'authentification en tant que marquage 



invisible au moyen d'une encre invisible provenant 
de I'alimentation en encre invisible, grace a quoi le 
marquage imprime' peut etre vtrifie" ulte>ieurement 
comme authentique en lisant a la machine le code 
invisible d'authentification et en le comparant au 
marquage visible. 

8. Un terminal de transactions selon la revendication 
7, dans lequel le microprocesseur (41 ) de tdte d'im- 
pression inclut un programme memorise* de securi- 
ty pour valider que le signal d'instructions d'impres- 
sion recu du terminal (20] est bien valtde et pour ne 
permettre a la tete d'impression d'imprimer que si 
le signal d'instructions d'impression a 6te" valide. 

9. Un terminal de transactions selon Pune quelconque 
des revendications 7 ou 8, dans lequel le marquage 
visible a imprimer est un cachet postal incluant une 
valeur de timbrage et le microprocesseur (41) de 
tete d'impression peut etre mis en oeuvre pour exe- 
cuter le programme m6moris6 afin d'engendrer un 
code d'identification correspondant sp6cialement a 
la valeur de timbrage a imprimer. 

10. Un terminal de transactions selon I'une quelconque 
des revendications 7 a 9 dans Iaquelle le marquage 
visible a imprimer est un cachet postal incluant une 
valeur d'affranchissement, et le microprocesseur 
[41] de tete d'impression peut etre mis en oeuvre 
pour executer le programme memorise afin de chif- 
frer le montant de I'aff ranch issement sous forme de 
code a barres (83a, 83b] et d'imprimer le code a bar- 
res en tant que code invisible d'authentification 
avec le cachet postal. 

11. Un terminal (20) de transactions selon I'une quel- 
conque des revendications 6 a 10, comprenant un 
moyen de reception d'une carte (1 0] d'utilisateur qui 
inclut une mSmoire et un microprocesseur (60) pour 
executer des transactions securisSes dans lesquel- 
les un article ou un produit de valeur est distribue 
et un solde de compte est d£bit£ dans ladite m6- 
moire. 

12. Utilisation d'une imprimante modulaire selon Tune 
des revendications 1 a 5 dans un terminal de tran- 
sactions. 
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